1. PURPOSE OF THIS NOTICE
This notice describes how we collect and use personal data about you, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act and any other national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK (‘Data Protection Legislation’).
Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
For the purpose of the Data Protection Legislation and for most instances referred to within this notice, we are the ‘data controller’. This means that we are responsible for deciding how we hold and use personal data about you.
When we are engaged in providing payroll services for an employer, our client is the employer and data controller, and we are a data processor.
Whichever capacity we are acting in we are required under the Data Protection Legislation to notify you of the information contained in this privacy notice.
We have appointed a Data Protection Partner. Our Data Protection Partner is our Data Protection Point of Contact and is responsible for assisting with enquiries in relation to this privacy notice or our treatment of your personal data. Should you wish to contact our Data Protection Point of Contact you can do so using the contact details noted at paragraph 10 (Contact Us), below.
2. HOW WE MAY COLLECT YOUR PERSONAL DATA
We obtain personal data about you, for example, when:
- you contact us by email, telephone, post (for example when you have a query about our services);
- you request a proposal from us in respect of the services we provide; or
- you OR your employer engages us to provide our services and also during the provision of those services.
3. THE KIND OF INFORMATION WE HOLD ABOUT YOU
The personal information we collect from you will vary depending on which services you (or your employer) engages us to deliver. The personal information we collect might include your name, address, telephone number, email address, your Unique Tax Reference (UTR) number, your National Insurance number, and bank account details.
4. HOW WE USE PERSONAL DATA WE HOLD ABOUT YOU
We may process your personal data for purposes necessary for the performance of our contract with you OR your employer and to comply with our legal obligations.
In general terms, and depending on which services we are provided to engage, as part of providing our agreed services to you or your employer we may use your information to:
- Contact you by post, email or telephone
- Verify your identity where this is required
- Understand your needs and how they may be met
- Maintain our records in accordance with applicable legal and regulatory obligations
- Process financial transactions
- Prevent and detect crime, fraud or corruption
We are required by legislation, other regulatory requirements and our insurers to retain your data where we have ceased to act for you. The period of retention required varies with the applicable legislation but is typically five or six years. Our engagement letters have for several years consistently stated that records are held for seven years, and we apply this policy to electronic records as well as physical records.
At the time of initially publishing this privacy statement we have accordingly identified the steps to be taken to ensure that we will not be holding in perpetuity any personal data for ex-clients which pertains to tax returns preceding the year-ended 5 April 2010 and similarly will not have access to the tax return records prior to this year-end for continuing clients.
5. WHO HAS ACCESS TO YOUR INFORMATION
We will not sell or rent your information to third parties.
We will not share your information with third parties for marketing purposes.
Any staff with access to your information have a duty of confidentiality under the ethical standards that this firm is required to follow.
Third party service providers working on our behalf
We may pass your information to our third party service providers, agents, and other associated organisations for the purposes of completing tasks and providing services to you on our behalf, for example to process payroll. However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own purposes.
Please be assured that we will not release your information to third parties unless you have requested that we do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention and detection of crime, fraud or corruption.
6. SECURITY PRECAUTIONS IN PLACE TO PROTECT THE LOSS, MISUSE OR ALTERATION OF YOUR INFORMATION
Whilst we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk.
Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given, or where you have chosen, a password which enables you to access information, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
Your data will usually be processed in our office in the UK. However, to allow us to operate efficient digital processes, we sometimes need to store information in servers located outside the UK, but within the European Economic Area (EEA). We take the security of your data seriously and so all our systems (and any third-party software providers who host data which is accessed via the cloud) have appropriate security in place that complies with all applicable legislative and regulatory requirements.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
7. RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION
Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be made aware by contacting us, using the contact details below.
Your rights and your personal data
You have the following rights with respect to your personal data:
- The right to access information we hold on you
- The right to correct and update the information we hold on you
- The right to have your information erased
- The right to object to processing of your data
- The right to data portability
- The right to object to the processing of personal data where applicable
- The right to lodge a complaint with the Information Commissioner’s Office
When exercising any of the rights listed above, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.
Any requests from existing or former clients regarding the personal information that we hold for them will be complied with, within the timeframe required by GDPR.
8. RIGHT TO WITHDRAW CONSENT
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please email our Data Protection Partner Richard Hill at firstname.lastname@example.org.
Once we have received notification that you have withdrawn your consent, we will no longer process your personal information (personal data) for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
9. CHANGES TO THIS NOTICE
We keep this privacy notice under regular review and any updates will be able to be found at www.gsmaccountants.co.uk/privacynotice. Paper copies of the privacy notice may also be obtained from:
Griffin Stone Moscrop & Co
21-27 Lamb’s Conduit Street
This privacy notice was last updated on 23 May 2018.
10. CONTACT US
If you have any questions regarding this notice or if you would like to speak to us about the manner in which we process your personal data, please email our Data Protection Partner Richard Hill at email@example.com or telephone 0207 935 3793.
You also have the right to make a complaint to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:
Information Commissioner's Office
Telephone - 0303 123 1113 (local rate) or 01625 545 745
Website - https://ico.org.uk/concerns